Windows VPN Connection Errors — Error 800, 809, 628 and L2TP/IPsec Issues
About Windows VPN Connection Errors
Fix Windows built-in VPN connection errors including Error 800 (tunnel failed), Error 809 (blocked ports), and L2TP/IPsec NAT traversal failures. This guide covers the common causes, step-by-step solutions, and answers to frequently asked questions.
This article is part of the Windows Error Codes collection on Error Codes Wiki.
Quick Answer
Why does L2TP fail behind NAT?
L2TP/IPsec was not designed with NAT in mind. Setting the registry value AssumeUDPEncapsulationContextOnSendRule=2 enables UDP encapsulation of the IPsec traffic so that the tunnel can pass through NAT devices.
Overview
Fix Windows built-in VPN connection errors including Error 800 (tunnel failed), Error 809 (blocked ports), and L2TP/IPsec NAT traversal failures.
Key Details
- Windows supports built-in VPN protocols: IKEv2, SSTP, L2TP/IPsec, and PPTP
- Error 800: VPN tunnel could not be established (server unreachable or connection refused)
- Error 809: network connection between computer and VPN server could not be established (blocked ports)
- Error 628: connection was terminated by the remote computer before it could be completed
- L2TP/IPsec requires UDP ports 500 and 4500 for NAT traversal
Common Causes
- VPN server address incorrect or server not responding
- Firewall blocking VPN ports (UDP 500, 4500 for L2TP; TCP 443 for SSTP)
- Pre-shared key mismatch between client and VPN server
- NAT device between client and server not supporting IPsec passthrough
- Windows VPN client behind double NAT causing L2TP failures
Steps
1. Verify the VPN server address and test connectivity: ping or telnet to the server address
2. For L2TP behind NAT: add the registry value AssumeUDPEncapsulationContextOnSendRule=2 (DWORD) under HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent
3. Check the firewall: ensure UDP 500 and 4500 (L2TP) or TCP 443 (SSTP) are open
4. Verify the pre-shared key matches the server configuration exactly
5. Try the IKEv2 or SSTP protocol instead of L2TP if NAT traversal issues persist
6. Restart the IPsec services: net stop ikeext && net start ikeext && net stop PolicyAgent && net start PolicyAgent
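The checks in steps 1, 2, 4 and 6 can be scripted against an existing VPN profile. The following PowerShell function is an added example, not code from the original article; the function name, its parameters and the RFC 1918 "behind NAT" heuristic are this example's own, and applying the registry fix requires an elevated session.

```powershell
# Pre-flight checks for a Windows built-in VPN profile (added example, not from the page).
# Assumes the profile exists in Get-VpnConnection; -ApplyNatFix needs an elevated shell.
function Test-WinVpnPrereqs {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$ConnectionName,
        [switch]$ApplyNatFix
    )
    $vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop
    $server = $vpn.ServerAddress
    Write-Host "Profile '$ConnectionName': server=$server tunnel=$($vpn.TunnelType)"

    # Step 1: Error 800 is often a wrong or unresolvable server address.
    if ($server -as [ipaddress]) { $ips = @($server) }
    else {
        try { $ips = (Resolve-DnsName -Name $server -ErrorAction Stop).IPAddress }
        catch { Write-Warning "Cannot resolve '$server' (check the server address)"; return }
    }
    Write-Host "Resolves to: $($ips -join ', ')"

    # SSTP rides on TCP 443, which Test-NetConnection can probe directly.
    if ($vpn.TunnelType -in 'Sstp', 'Automatic') {
        $tcp = Test-NetConnection -ComputerName $server -Port 443 -WarningAction SilentlyContinue
        $state = if ($tcp.TcpTestSucceeded) { 'open' } else { 'BLOCKED (Error 809 candidate)' }
        Write-Host "TCP 443 (SSTP): $state"
    }

    # L2TP/IPsec and IKEv2 need UDP 500/4500; a TCP probe cannot verify UDP,
    # so report the requirement and check the local NAT-T registry value instead.
    if ($vpn.TunnelType -in 'L2tp', 'Ikev2', 'Automatic') {
        Write-Host "UDP 500 and 4500 must be allowed end to end (firewall/NAT); not probed here."
        Write-Host "IPsec auth: $($vpn.L2tpIPsecAuth) (a PSK must match the server exactly)"
        # Heuristic (assumption): an RFC 1918 local address means this client sits behind NAT.
        $local = (Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.PrefixOrigin -ne 'WellKnown' }).IPAddress
        $behindNat = $local | Where-Object { $_ -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)' }
        $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
        $name = 'AssumeUDPEncapsulationContextOnSendRule'
        $val  = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        Write-Host "Behind NAT: $([bool]$behindNat); ${name}=$val"
        if ($vpn.TunnelType -eq 'L2tp' -and $behindNat -and $val -ne 2) {
            if ($ApplyNatFix) {
                # Step 2: value 2 allows the IPsec SA when client and server are both behind NAT.
                New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 2 -Force | Out-Null
                Write-Host "Set $name=2. Reboot before it takes effect."
            } else { Write-Warning "L2TP behind NAT without the NAT-T registry value; rerun with -ApplyNatFix" }
        }
    }

    # Step 6: the two services behind the IPsec side of the tunnel (restart them if stopped).
    Get-Service -Name IKEEXT, PolicyAgent | Select-Object Name, Status | Format-Table -AutoSize
}
```

Run it as `Test-WinVpnPrereqs -ConnectionName 'Office VPN'` first to see the report, then add `-ApplyNatFix` from an elevated prompt only when the L2TP-behind-NAT warning appears.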